Many major brand mobile apps not secure on Android, says study

Research from app development firm claims mobile apps from big-name brands are full of security holes that can expose sensitive information

In a study on mobile applications and their level of security, RIIS, LLC, a firm that specializes in mobile app development, said that some of the nation's top brands, including airlines, retail outlets, entertainment companies, and insurance companies, are producing applications for Android that place users and their personal information at risk.

The data comes from a study of twenty Android applications by RIIS, and how well they align to the OWASP Top 10. Of the twenty applications tested, only four were developed in such a way that when matched to the OWASP Top 10, they had no flaws at all. The other 16 however had at least one issue that could be problematic.

[Which smartphone is the most secure?]

Further, many of the applications tested are consumer focused, including Wal-Mart, Delta, Facebook, Geico, Ticketmaster, and Speedway. This means that the likelihood that they are on a given network is relatively high, especially the travel applications. The platform they're developed for is an important risk consideration too, as research from Strategy Analytics, says that global smartphone shipments grew to a record 230 million units in the second quarter of 2013, and more than 80 percent of them were running Android.

Delta's 'Fly Delta' application, along with Geico's application were the worst applications, with insecure data storage, poor authorization and authentication, broken cryptography, and sensitive information disclosure, issues discovered in each one.

When asked for additional details, Godfrey Nolan, the lead researcher in the study, told CSO that Delta's application stores the user's password in an encrypted in a SQLite database.

"However the key is in the APK which can be reverse engineered back into source code using some simple tools available on the internet," he explained.

As for the other problematic applications, Geico's tool also exposed login information, as did the app from Ticketmaster. The application form LiveNation doesn't use any encryption, and stored the login details in clear text.

CSO asked Nolan if he felt that the rush to adopt cloud and BYOD is creating an environment where mobile development teams are pushed to produce products and code, while security is added after the fact.

"I don't think this is even on the radar for most companies," he said.

In fact, when questioned by RIIS, Nolan said that many of the developers the spoke to reacted negatively, as if to say that the issues that were discovered were not something they were concerned with, thus trading security for usability.

[Slideshow: Mobile security: How gadgets evolved]

His advice is for security staff to apply mobile security scanning techniques such as those outlined in the OWASP Top 10, in order to ensure the organization knows what apps are insecure before allowing them to be installed on any BYOD or company devices.

However, on the other side of that coin, the applications developed by Wells Fargo, Chase, State Farm, and the Internal Revenue Service, were completely clean, and secured when judged against the OWASP list.

All things considered, RIIS says that the safest applications don't store any login information or sensitive user data on an Android device.

"It is common practice (and a fundamental security flaw) to store the username and password encrypted in a SQLite database or shared preferences folder with a hardcoded encryption key which can be found by decompiling the APK," the report adds.

The full report is available here, but registration is required.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags mobilemobile securitymobile applicationsAndroid OSRIIS

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Steve Ragan

CSO (US)
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?